The Real-Life Risks of Reusing the Same Passwords
And How to Establish a Safe Password Policy
In December 2016, Yahoo announced that a breach dating back to 2013 had compromised more than 1 billion user accounts. That came on top of a separate 2014 breach, disclosed a few months earlier, which had affected over 500 million users. Users tend to scream for blood when such a breach happens, usually blaming the owners of the affected website, and the site is indeed responsible for losing the data. But much of the damage that follows a breach can be traced to the users themselves, in their own bathroom mirrors.
You see, a great many account takeovers that follow a breach share one seemingly innocent common factor: computer and mobile device users reuse their passwords across multiple websites at an alarmingly high rate.
We’re all only human. (Well, except for Sheldon Cooper - we’re not exactly sure what he is just yet.) One thing we all have in common is that we usually have a hard time remembering the 90 billion passwords we use each and every day to log in to our email, bank accounts, app stores and dating services. (90 billion is merely a rough estimate; your mileage may vary.)
Many users have come upon what they believe is an excellent solution. Why not just use the same password on every site or service they access? The problem of remembering all of those passwords is instantly solved!
Nope - not so fast.
A study of roughly half a million computer users, monitored over a three-month period in 2006, found that each user had, on average, 25 accounts but only 6.5 passwords. That works out to each password being reused at about 4 sites (3.9, to be exact). The study also showed that weak passwords were reused far more often than strong ones.
[Figure: fraction of sites sharing a password, for weak passwords (bit strength below 30 bits), strong passwords (above 60 bits) and the overall average. The weaker a password, the more sites it tends to be shared across; stronger passwords are used at fewer sites.]
This means that if an attacker gets hold of the username/password combination used on one website, there is an excellent chance the same combination will get them into other websites and services on their hitlist. Attackers automate this, replaying lists of harvested credentials against hundreds of other sites; the technique is known as credential stuffing.
While we cannot discount the use of keyloggers and malware to get into users' private accounts, the easiest way into any group of accounts is still the path of least resistance: login/password pairs harvested from breaches of other websites, replayed against the sites the attacker actually wants.
In this article, I take a look at why password reuse is a bad habit to fall into, and what the consequences of this practice can be. I’ll also share what users can do to get out of, and stay out of, this horrible habit. Plus, I’ll share some apps and services with you that can help you create, remember and manage your passwords and other valuable information.
Why Reusing Passwords is a Bad Thing
While the great majority of users know password reuse is a bad thing, they continue to do it. A survey conducted by the password-management app developer LastPass of 2,000 internet users from the U.S., Germany, France, New Zealand, Australia and the U.K. shows the following:
Findings at a Glance
91 percent know there is a risk when reusing passwords, but 61 percent continue to do so.
Only 29 percent of consumers change their passwords for security reasons - the #1 reason people change their passwords is because they forgot it.
People prioritise their financial accounts (69 percent) over retail (43 percent), social media (31 percent) and entertainment (20 percent).
The LastPass study also reports that 110 million Americans over the age of 18 had their personal information exposed by hackers in 2014. An average of 19 people become victims of identity theft every minute. It takes an average of 18 months and 200 hours of work to recover from identity theft.
Does any of this make you think twice about using the same password across multiple sites? Because it definitely should.
Human nature is to blame for much of the situation we now face. It’s only human that, when confronted with an overwhelming number of websites, devices, apps and networks that require login credentials, we’re hit by "Security Fatigue." This can result in a "don't give a damn" attitude about password reuse. Reusing a password is simply the path of least resistance.
Your personality can also put you at risk. The same LastPass report indicates both Type A and Type B behavioral patterns can put users at risk.
Type A folk believe that even though they reuse passwords, they are not at risk due to their own organized system as well as their proactive skills.
Meanwhile, Type B people convince themselves that their accounts are of little value to hackers, allowing them to maintain a casual attitude toward password reuse.
Want to get a bit of a shock? Put your email address into the Have I Been Pwned? website and see if your account has been compromised in any of the numerous data breaches reported over the last few years.
I tried each of my numerous email addresses one by one and found I was more surprised when an email address proved NOT to have been affected by a breach, rather than having been affected by one.
It's easy to see how the breach of one website leads to accounts on other sites being taken over, and so on, and so on. A big reason for this is password reuse. In March 2017, a hacker group calling itself the "Turkish Crime Family" claimed to have access to some 250 million iCloud accounts (the figure varied from one of their statements to the next).
While their claims were dismissed by some, the Turkish Crime Family did furnish 54 iCloud credentials to ZDNet, many of which the publication confirmed were valid by contacting the users in question.
The Turkish Crime Family group demanded a hefty ransom, payable by Bitcoin of course. The group said they would reset millions of iCloud accounts, while also remotely wiping the accounts’ associated iOS device, if the ransom wasn’t paid by a certain date.
"200 Million iCloud accounts will be factory reset on April 7 2017" - Turkish Crime Family (@turkcrimefamily), March 21, 2017
"The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," Apple said in a statement to CNET.
Most of the iCloud users that were on the hacker’s list of 54 confirmed to ZDNet that they had used their iCloud email address and password elsewhere, such as on Facebook, Twitter and other popular websites. However, three of the people contacted said their login information had only been used on iCloud.
An April 10, 2017 report said the Turkish Crime Family had claimed victory, saying Apple had given in and paid the ransom. A Bitcoin wallet address posted by the group showed a payment of 401.731 BTC (about $508,459) on April 7, 2017, though nothing ties that payment to Apple. Whether Apple actually paid or not, there have been no reports of any wiped iCloud accounts.
While there is no way of proving it for sure, it certainly appears that password reuse could have had a hand in the hacking of the iCloud credentials.
iCloud users who have protected their account with two-factor authentication are in far better shape: a password alone is not enough to sign in to iCloud from an untrusted computer or mobile device, so a harvested credential should not get an attacker in. That is no reason to relax, though. The reused password is still valid everywhere else it was used, and it should be changed on every one of those sites, iCloud included. (We'll discuss two-factor authentication and how it works a bit later in this article.)
While reusing your password to access multiple websites or services may solve the absentminded-professor issue of knowing your password when needed, it creates a number of other problems that could greatly affect your life.
By reusing a password on multiple logins, users are making it just that much easier for the bad guys to access their data, bank accounts and other important information.
Plus, many websites - and shame on them for this - require users to use their email address as their username when they sign up. So now the bad guys not only have a password, but they also know the username, and that username is an email address the victim probably uses everywhere else too.
This is a great way to find yourself buying a $1,500 drone for someone else via your personal or business credit card account. The good news is that you didn’t have to lift a finger to do so. The bad news is that you didn’t have to lift a finger to do so.
Do car dealers take credit cards? Hmmm…
How to Avoid Password Reuse
If you’re in the deep dark pit of reused passwords, it’s not easy to climb out. All the good intentions in the world won’t help if you don’t make some real changes in your online actions.
I can almost hear you saying to yourself as you read these words, “Self, what this guy is saying makes sense, but I log in to a LOT of websites and apps - there is no way I can ever remember my passwords if I don’t use the same old go-to words and phrases.”
While what you’re thinking may seem to have a ring of truth to it, there are ways of diversifying your passwords without experiencing memory strain. Here’s how to do it.
Get a password management app
We’ll take a closer look at which apps are available, and whether they’re right for you, a little later in this article. But for now, just know that you should use one.
They’re easy to set up, and they can even notice when you’ve entered a new login/password for a website and automatically save that information. They can also create and store strong passwords for any login, making it much easier to avoid the password-reuse gremlin.
Change the passwords for all of your website logins and online services
This will be a pain in the butt, yes, but we’re doing the Computer Gods’ work here. So, chill out a bit and resolve yourself to doing the work to fix this mess you’re in. (I hope you didn’t have any plans for tonight!)
Store each new login/password combo in your new password-management app
While this sounds like a lot of work, many password managers include a browser plugin as part of their feature set. This allows the app to recognize when new logins are created, and it will prompt you to name and save the information. (It will even remember the website you’re on, so it’ll have the login info ready the next time you visit the site.)
Make sure you haven’t duplicated any passwords
After you’ve changed all of your passwords (hopefully using the password manager’s ability to create strong passwords on the fly), check to make sure you haven’t duplicated any of the passwords. (Again, most password-management apps include this ability in their feature set. We’ll look closer at this later.)
Continue to create only unique passwords for each new login you create on any website, computer, online service or corporate server
This cannot be stressed enough. Read my virtual lips: No. Duplicate. Passwords.
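As an added illustration of the last two steps (checking for duplicates and weeding out weak passwords), here is a small audit script. It is example code written for this edit of the article, not part of any password manager; it assumes a CSV export with title, url, username and password columns (the generic layout most managers can produce), and the rows below are constructed for the example. Run it on a real export only on your own machine, and delete the export file when you are done.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (title,url,username,password). These rows are
# made up for the example; they are not real accounts.
SAMPLE_EXPORT = """title,url,username,password
Webmail,https://mail.example.com,alice@example.com,LordFluffykins
Bank,https://bank.example.net,alice@example.com,LordFluffykins
Forum,https://forum.example.org,alice_f,LordFluffykins
Shop,https://shop.example.com,alice@example.com,H3ll0Th3r3:)
Streaming,https://tv.example.com,alice@example.com,H3ll0Th3r3:)
Work VPN,https://vpn.example.com,afluffy,k8$Qz2!wLp9#Vt4m
"""


def load_vault(csv_text):
    """Parse a CSV export into a list of entry dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fingerprint(password):
    """Non-reversible key used for grouping, so the report never has to
    carry the plaintext password around (a truncated SHA-256 is enough
    to tell two vault entries apart)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reused(entries):
    """Return {fingerprint: [site titles]} for every password that is
    used on more than one site."""
    groups = defaultdict(list)
    for entry in entries:
        groups[fingerprint(entry["password"])].append(entry["title"])
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def find_weak(entries, min_len=12):
    """Flag passwords shorter than min_len or using fewer than three of
    the four character classes. The 12-character floor is the one the
    article recommends. Note that class rules do not catch leet-style
    substitutions; that is why the reuse report matters more."""
    weak = []
    for entry in entries:
        pw = entry["password"]
        classes = sum([
            any(c.islower() for c in pw),
            any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw),
            any(not c.isalnum() for c in pw),
        ])
        if len(pw) < min_len or classes < 3:
            weak.append(entry["title"])
    return weak


def audit(csv_text):
    """Run both checks over an export and return a report dict."""
    entries = load_vault(csv_text)
    return {"reused": find_reused(entries), "weak": find_weak(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for fp, sites in report["reused"].items():
        print(f"password {fp}... is shared by: {', '.join(sites)}")
    print("weak passwords on:", ", ".join(report["weak"]))
```

Every site listed under a shared fingerprint needs its own new password; start with the financial and email accounts, since those are the ones an attacker will try first.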
Other Ways to Make Your Passwords More Secure
We’ve already stressed the idea that you shouldn’t use the same password across multiple websites and other logins, but how else can we make our passwords more secure?
And, what if we need to create a password when we don’t have our handy-dandy password-management app nearby?
Here are some methods you can use to keep passwords secure in your day-to-day online work and play.
1. Be sure no one is watching you enter your password.
2. Always lock or log off your computer or mobile device before leaving it unattended.
3. Make regular use of security software on your computer, and scan for keyloggers and malware regularly.
4. Don't log in to your personal accounts on a shared computer. This includes those found at libraries or internet cafés. (Are those still a thing?)
5. Never enter your passwords while on an unsecured network. Unsecured networks can be found at coffee shops and airports in the form of Wi-Fi hotspots. (Those are still a thing.)
6. Use a VPN when you have no choice but to use such a network. This keeps the information you send and receive secure from prying eyes, like those of hackers, the government and other parties who would like to monitor your online activities.
7. Change your passwords periodically, and immediately when a service you use reports a breach. Sure, you've taken steps to protect your passwords, but you could still get caught up in a data breach because some other joker wasn't as conscientious.
8. If you're forced to create a password for a new account manually, create a strong password. This will be something that is easy to remember, but not obvious. (Stop using "LordFluffykins" as your password - I don't care if he is the coolest cat ever!) Make sure that it's at least 12 characters long, and use numbers and symbols if allowed. Something like "H3ll0Th3r3:)" instead of "HelloThere." Bear in mind that cracking tools try these substitutions (3 for e, 0 for o) automatically, so it is the length, not the swaps, that buys you most of the strength; several unrelated words strung together beat a short word with substitutions.
9. Create a password by tracing a shape on the keyboard. For example, "#3eFvGy7&" makes a "V" shape on a QWERTY keyboard. Keyboard-walk patterns like this are in crackers' wordlists too, so treat this as better than a pet's name, not as a substitute for a generated password.
10. If you are not using your own computer or mobile device when you create the new passwords (following the instructions in #8 or #9), be sure to update them in your handy-dandy password manager the first chance you get.
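If you have to create a password by hand but do have a terminal in front of you, let the operating system's random number generator do the work instead of a keyboard pattern. The following is an added example, not code from the article or from any password manager; the word list is a constructed stand-in for a real one such as the EFF long list, and the entropy figures it reports apply only to randomly generated secrets, never to ones a person made up.

```python
import math
import secrets
import string

# Letters, digits and symbols: 94 possible characters per position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list (the EFF long list has 7,776
# words). With only 16 entries the passphrase entropy is low, which the
# numbers below make visible; swap in a full list for real use.
SAMPLE_WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon",
                "garnet", "harbor", "iris", "juniper", "kestrel", "lantern",
                "marble", "nettle", "orchid", "pepper"]


def entropy_bits(choices, length):
    """Bits of entropy for `length` independent, uniform picks from
    `choices` options. This is the only honest strength estimate for a
    generated secret; it says nothing about human-chosen ones."""
    return length * math.log2(choices)


def has_all_classes(pw):
    """True if pw contains a lowercase letter, an uppercase letter, a
    digit and a symbol (the usual site rules)."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length=16, alphabet=ALPHABET):
    """Random password from `alphabet`, resampled until it contains every
    character class so it clears site rules. Uses `secrets` (a CSPRNG),
    never `random`. The resampling discards a small fraction of the
    candidates, so the true entropy is marginally below entropy_bits()."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def generate_passphrase(words=SAMPLE_WORDS, count=5, sep="-"):
    """Diceware-style passphrase: `count` words drawn uniformly, with
    replacement, joined by `sep`. Easier to type and remember than a
    16-character jumble, and with a full word list just as strong."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"({entropy_bits(len(ALPHABET), 16):.1f} bits)")
    pp = generate_passphrase()
    print(pp, f"({entropy_bits(len(SAMPLE_WORDS), 5):.1f} bits with the toy list)")
    print(f"six words from a 7,776-word list: {entropy_bits(7776, 6):.1f} bits")
```

The printout makes the trade-off concrete: 16 random characters from 94 symbols give about 105 bits, six words from a full 7,776-word list give about 78 bits, and five words from the toy list above give only 20, which is why the size of the word list matters as much as the number of words.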
Speaking of Password Managers...
As promised, it’s time to take a look at the various password-management apps that are currently available. Keeping in mind that a great number of you are not confined to one computing platform, I’ll be offering information on apps that are available on the four most popular computing platforms: Windows, macOS, iOS and Android.
What is a Password Manager?
A password manager is an app that allows users to securely store and retrieve login and password information used to log in to networks, websites, apps and other services. Password managers can be accessed from a web browser or installed on a user’s computer or mobile device.
All of the stored data is encrypted and is accessed by using a master password. This is a great advantage, as login credentials and other personal information are securely protected, and the user need only remember a single password to access it all.
Most password managers make use of cloud storage to sync all information between the app’s website and the user’s mobile devices and computer. This allows users to have up-to-date access to all of their information.
A good password manager will offer secure storage of your login information, syncing between devices, the ability to create secure passwords, the storage of notes and a browser plugin, at the very least.
Password Manager Companies
I’ll let you know from the outset that 1Password is my password manager of choice. I have been using it for years, and I find that it fits my particular needs quite well, thank you. That said, let’s take a closer look at the app.
1Password is available on every popular platform, including Windows, macOS, iOS and Android. The app keeps all login and password information locked behind a password on Mac or Windows computers.
Mobile users can make use of a password, a PIN, or, on compatible devices, a fingerprint scan.
All information stored in the 1Password app is protected with strong AES-256 encryption. The app can not only store and recall your usernames and passwords, but it can also store notes, credit and debit card numbers, receipts, bank account numbers and more. All of this information is encrypted and password-protected.
All information saved in 1Password on any device or computer is also available on all of your other devices, as long as they have 1Password installed. This is especially handy for someone like myself who uses two Macs, an iPhone and an iPad at various times during my day. I probably use 1Password at least ten times a day to recall login information or a particular account number.
The 1Password apps are free. However, there is a $2.99-per-month subscription required to access all of the app’s features, following a free 3-day trial period. A $4.99-per-month Family subscription is also available that allows up to 5 family members to access the app. Additional family members can be added for only $1 per month each.
Both plans offer email support, all app upgrades, 1GB of cloud storage and a 365-day item-history feature that allows you to restore deleted passwords and other items. Data can be stored locally on the device or synced via Dropbox, iCloud (only on Mac and iOS devices) or your own wireless network. If you spring for the monthly subscription, you can store your data on the AgileBits servers, using 1Password’s end-to-end security.
AgileBits also offers a 1Password plan for businesses, with services running from a Standard level for smaller businesses, all the way up to an Enterprise level for larger companies.
For more information about 1Password and its features, visit the 1Password website.
LastPass provides a number of features, many of them the same or quite similar to 1Password. The app is available for macOS, iOS and Android. It also offers a browser extension for Chrome, Firefox, Safari, Internet Explorer, and Opera on macOS, Windows and Linux. In addition, Windows Phone and Firefox OS versions are available. The LastPass website is accessible on all computers and devices.
The app is free and offers a number of features without the need to spring for a subscription; a $12-per-year Premium subscription adds more on top of the free tier.
Business Teams and Enterprise subscriptions are also available. For more information about the LastPass password-management app, visit the LastPass website.
Dashlane is another feature-packed password manager available for free, but also offering subscription options that bring premium features. The app is available for Windows, macOS, iOS and Android. In addition, Dashlane provides extensions for use with the Chrome, Firefox, Internet Explorer, Safari and Opera browsers.
Dashlane includes most of the popular features that seem to be common among password-manager apps while also adding a trick or two of its own, such as instant security alerts and an automatic password changer. The app does the standard password storage and recall routine. You can import password information from other apps or enter them as you browse the web.
The Instant Security Alerts feature sends notifications directly to your computer or mobile device when sites suffer a security breach. That feature, along with a built-in, strong password generator and a unique feature that can change your previously-set passwords with just the tap of a button allows you to respond quickly to a security breach.
While the password changer doesn’t work on every website, Dashlane says it currently works with hundreds of popular U.S. websites, including Hulu, Redbox, Kickstarter, The Weather Channel, Domino’s and many more. A full list of compatible sites is available on the Dashlane website.
The Dashlane app also offers an autofill-of-logins feature, both on desktop and mobile devices. The app includes a handy digital wallet which allows you to store your credit and debit card information, bank account or PayPal info and use it to gain express checkout when shopping online. The app can also store digital snapshots of your receipts for later reference.
All information stored inside the Dashlane app is protected by AES-256 encryption. All data can be saved local-only or backed up to the cloud. All info is synced across all your devices and is protected locally by a password, PIN or fingerprint on compatible devices.
Dashlane is free, and you receive access to all of the features of Dashlane Premium for the first 30 days you use the app. Dashlane Premium offers the ability to use Dashlane on an unlimited number of devices, with automatic sync and backup for your account. It also allows unlimited sharing for passwords and notes, and provides priority support. Dashlane Premium is $39.99 per year.
For more information about Dashlane and Dashlane Premium, visit the Dashlane website.
The RoboForm password-manager app remembers all of your passwords, and you only have to remember one password to access them all.
The app is available on Windows, macOS, iOS, Android, Linux and Chrome OS. It also offers extensions for all of the popular browsers, including Safari, Chrome, Firefox, Opera and Internet Explorer. A handy syncing function keeps all of your password information up to date across all your devices.
RoboForm has the usual features that apps in this genre typically have. It stores all of your login and password information, automatically remembering them as they are created and storing them to use for one-click logins when needed.
The app has a password generator as well as organization abilities, which include folders and search functionality. All data stored in the app is protected with AES-256 encryption, with the encryption key derived from your master password using PBKDF2-SHA256 at 4,096 iterations, which slows down brute-force guessing of the master password.
RoboForm audits your passwords for strength and checks to make sure you haven’t used a password on more than one website. The app can also import passwords from most major password managers as well as a CSV file.
Furthermore, the app stores encrypted text notes and keeps all of the information synced across multiple devices.
RoboForm provides 2 levels of service: “RoboForm Free” and “RoboForm Everywhere.”
“RoboForm Free” offers unlimited logins, cross-platform support, strong encryption, a password-auditing feature, application logins and the ability to fill web forms automatically.
“RoboForm Everywhere” level offers all of the above, while also providing cloud backup, securely-shared logins, web access, and premium email and phone support.
RoboForm Everywhere is available in 1-year, 3-year and 5-year subscriptions for $19.95, $49.95 and $74.95, respectively. For more information about the RoboForm password manager, visit the RoboForm website.
A Warning About Password Manager Browser Plugins
Before finishing up this section on password managers, I’d like to warn you about using the browser plugins and extensions offered by the various developers.
As I was working on this article, it was reported that Google researcher Tavis Ormandy had discovered a security vulnerability in the LastPass browser extension for certain browsers. The flaw allows attackers to steal passwords or execute code in the affected browsers.
“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated,” announced a LastPass spokesperson. “We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post-mortem once this work is complete.”
While there haven't been reports of other password-manager plugins and extensions being affected by the same type of security hole, the advice given at the time applies to all of them: launch websites from inside the password-manager app rather than relying on the browser extension, enable two-factor authentication (discussed below) and be wary of phishing attacks.
What all this means is that no matter how many steps you take to guard your passwords and other information, nothing is 100% safe. Always practice safe computing, which is the online equivalent of keeping your purse close to your chest while keeping an eye out for suspicious characters in a sketchy neighborhood.
Other Password Managers
There are numerous other password-manager apps available for almost any computing platform you could name. However, they either do not offer versions for all of the popular platforms, or they require technical knowledge that might be beyond that of the casual user, so they are not listed here.
For a comprehensive list of those password managers, visit Wikipedia.
Use Two-Factor Authentication Where Available
I have found that two-factor authentication (2FA) is one of the best methods available to protect your accounts from being hacked, even if you were silly enough to use the same login credentials on multiple websites.
Accounts protected by two-factor authentication require two ingredients to authorize access. It is best described as combining something you know (your account password) with something you have (such as your smartphone) or something you are (a fingerprint).
Two-Factor Authentication Walk-Through
The following takes place when using Apple’s two-factor iCloud account authentication:
1. When I enter my login information on a new device or browser for the first time (in this case, a previously-untrusted browser), I enter my username and password as usual.
2. I then receive a notification on my trusted devices - which include my iPhone, iPad and Mac - that a sign-in has been requested using my login credentials. Since it is indeed me who is attempting to log in, I tap the “Allow” button on the prompt.
3. Next, I am shown a 6-digit authorization code to enter on the new device or browser I am logging in on.
4. Once the code is correctly entered, the device will be trusted and Apple will allow me to log in. I won’t be asked for a verification code on that particular device or browser again unless I sign out of it completely, erase the device or change my password.
5. Finally, Apple sends me an email notifying me of the sign-in as an extra layer of protection.
While not every website or online service offers two-factor authentication, the number is growing every day. Currently, major online service providers such as Apple, Google, Microsoft, Twitter, Facebook, PayPal and Dropbox furnish some method of two-factor authentication to protect their customers' accounts and data.
Financial firms have also rightly jumped onto the two-factor bandwagon, with such firms as Chase, Bank of America, Discover, Wells Fargo and others currently offering the extra protection.
If you’re not sure if your favorite website features two-factor authentication, check with customer support for the website in question, or you can visit twofactorauth.org, which does an excellent job of tracking which websites currently offer the extra security to their users. (If your favorite site isn’t shown as supporting 2FA on the twofactorauth.org site, a handy contact button is supplied so you can urge them to provide it.)
What Online Services are Doing to Help
We’ve spent a lot of time in this article harping on what you can do to protect yourself. Luckily, fixing the password-reuse mess isn’t entirely on your shoulders.
Many websites and online services are putting measures in place to issue a warning when they find that a user has used the same password on their website that they did on a hacked website.
Facebook has been known to examine data leaked in password breaches of other websites to look for any evidence that users are reusing their Facebook passwords on hacked sites. Following a 2013 breach at Adobe, which exposed millions of their customers’ login info and other data, the social network dug through the exposed data stash for password reuse by its users.
If a match is found, Facebook sends a notice to the affected user, telling them they’ll need to answer a few security questions and change their password. To encourage the user to change their password, Facebook keeps their page and posts invisible to other users until the login credential has been changed.
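The check Facebook performs can be done without the service ever holding plaintext passwords. The following added example (not Facebook's or Netflix's code) shows how: the service keeps only salted PBKDF2 hashes, and for each leaked (email, plaintext) pair from another site's breach it re-derives the hash with that user's own salt and compares. The user table and the leaked rows are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """What a service should store: a per-user random salt and a slow
    PBKDF2-HMAC-SHA256 digest, never the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant
    time. Used both at login and for the leak check below."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# Constructed user table: only hashes are kept, keyed by lowercase email.
USERS = {
    "alice@example.com": hash_password("LordFluffykins"),
    "bob@example.com": hash_password("k8$Qz2!wLp9#Vt4m"),
    "carol@example.com": hash_password("correct-horse-battery"),
}

# Constructed third-party dump (email, plaintext), as it would look in a
# leak from a site that stored passwords badly. Dave is not our user at
# all; Bob used a different password there.
LEAKED = [
    ("Alice@example.com", "LordFluffykins"),
    ("bob@example.com", "bobs-old-forum-pw"),
    ("dave@example.com", "whatever"),
]


def users_reusing_leaked_passwords(users, leaked):
    """Emails of our users whose stored hash matches a password that
    leaked elsewhere. Each candidate must be hashed with that user's own
    salt, so the cost is one KDF call per leaked row whose email is ours;
    run this as an offline job, not inline with logins."""
    hits = []
    for email, plaintext in leaked:
        record = users.get(email.strip().lower())
        if record and check_password(record, plaintext):
            hits.append(email.strip().lower())
    return hits


if __name__ == "__main__":
    for email in users_reusing_leaked_passwords(USERS, LEAKED):
        print(f"{email}: password matches a third-party leak, force a reset")
```

The same loop is what lets a service reset a user's password "just to be safe", as Netflix puts it below, without ever having seen that password in the clear: the hit list is the set of accounts to lock and notify.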
Netflix also takes steps to warn its users when security breaches on other membership websites have taken place. The streaming entertainment company warned many of its users following the 2015 data breach at extramarital “dating” site Ashley Madison, as well as breaches at LinkedIn, Tumblr and MySpace.
“We believe your Netflix account credentials may have been included in a recent release of email addresses and passwords from an older breach at another company,” the message from Netflix read. “Just to be safe, we’ve reset your password as a precautionary measure.”
Netflix's security team reportedly uses a homegrown tool called Scumblr, a Ruby on Rails web application for searching the internet for sites and content of interest. The team says the tool makes it easier for teams to "stay on the lookout for internet-based discussions, posts, and other bits that may be of impact to the organizations they are protecting." Netflix has published Scumblr as open source on GitHub, where more information about the tool can be found.
The online world continues to become a more dangerous place to work and play, and any measures you can put in place to make it tougher for the bad guys to access your personal and business information should be enabled as soon as possible.
As we’ve just seen, you can make things tougher for the bad actors of the world by embracing just a few simple practices that will give you another level of protection. Let’s review.
Never Reuse Passwords
This layer of protection can never be stressed enough. In my humble opinion, this is the most important thing the average user can do to protect their information from prying eyes. ALWAYS use a different password when you set up a login on any new website or online service.
Reusing a password simply aids hackers who might hack the user base of a website. If the bad guys can take the login information they’ve harvested from one hack and use it to log in to the same user’s account on another, more important website, they’ve hit the jackpot.
Password re-use can lead to losing your privacy, exposing your personal information, and possibly losing the money in your bank accounts and damaging your credit rating. Always. Use. A. New. Password.
Only Use Secure Passwords
Now that you have it in your head to never reuse a password, let’s also hammer home another important rule: ALWAYS create a secure password. By “secure,” I don’t mean the name of your favorite cat, the street you grew up on or your mother’s middle name. (SIGH! You’ve probably already used those passwords on one site or another anyway…)
A secure password makes use of upper- and lowercase letters, digits and special symbols, and it should be at least 12 characters long. (The number seems arbitrary, but most of the sources I found suggest at least 12 characters.) Length is what matters most: every extra character multiplies the number of guesses a cracker has to make, whereas a single digit or symbol substitution is something dictionary- and rule-based crackers try automatically.
Some websites won’t allow using special characters in a password (shame, shame), and other sites limit the length of a password. Make sure to check the rules of the website. (It’ll probably warn you if you try to use a disallowed character or too many characters.) But always use the longest, most jumbled password you feel comfortable with. (And use a password-management tool, which we revisit next.)
Make Use of Available Password-Management Tools
Now that you’re in the habit of using a different password for every online account, and you’re also creating strong passwords, you are now faced with the hassle of remembering said passwords. So, grab one of the password-management tools that I told you about previously.
While password-management apps and browser plugins have been found to bring their own security flaws to the table, they are still a valuable tool in your battle to keep your information away from prying eyes.
Password-management tools are available for almost every popular computing and mobile platform. Plus, passwords saved on your computer are synced to your mobile devices (and vice versa), making it convenient to take advantage of the protection they offer.
Can’t remember that password you set up for Facebook? Log in to your password manager and pop it into the login fields with just one click.
Don’t want to deal with the hassle of coming up with a unique 12-character password? Click another button in the password app to instantly create and save a new password.
I, myself, could not live online without my password-management app of choice and can’t understand why anyone would attempt to do so. Get a password manager. They’re usually free or priced quite reasonably. They are SO worth it!
Stay Safe Out There Folks!
I sincerely hope you take this article to heart and take a close look at the way you use passwords online. With just a little extra effort, you can add another, very important layer to your online security.
Visit the websites of the password managers I’ve listed in this posting, examine the features of all of the apps and make a decision about which app best fits your needs. Download and install it on the computers and mobile devices that you use daily. After that, begin auditing your password usage. Change passwords when needed, adding them to your password manager.
After all of your passwords are entered, run an audit (if the app supports it) to see exactly where you need to make changes. Get rid of any duplicate passwords and create new, strong passwords for all of your logins. Your privacy - and your checkbook - will thank you.